Ransom Warrior
Ransom Warrior is a ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam. It was developed by a hacker group from India (self-name). Payload Transmission Ransom Warrior can be spread by hacking through an insecure RDP configuration, using email spam and malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, repackaged and infected installers. Infection Ransom Warrior stealthily infiltrates the computer and encrypts most stored files, thereby making them unusable. In addition, Ransom Warrior renames files using the "random_word.THBEC" pattern (e.g., "sample.jpg" might be renamed to a filename such as "DEX.THBEC"). Therefore, it becomes impossible to distinguish files. Following successful encryption, Ransom Warrior opens a pop-up window containing a ransom-demand message. As with most ransomware, the message simply states that files have been encrypted and can only be restored with a unique key. Unfortunately, this is accurate. Although it is currently unknown whether Ransom Warrior uses symmetric or asymmetric cryptography, a unique key (generated individually for each victim) is necessary to decrypt data. All keys are stored on a remote server and users are encouraged to pay a ransom for their release. The cost of Ransom Warrior decryption is $349 and must be paid in Bitcoins. Furthermore, users are encouraged to submit payment within 24 hours after encryption, otherwise all data is supposedly deleted permanently. Text presented in RansomWarrior ransomware pop-up window: Message for you from RansomWarrior 1.0 Hello, we are a group of dedicated hackers from India. We have encrypted all your files so we can get your money. All your important files has been encrypted which means you are going to pay us a ransom of 349 USD in Bitcoins. So first of all you can decrypt to of your important files and we will show you which files has been decrypted. Just so you can see that we do have your decryption key, and you will be able to buy it from us. You won't be able to get your important files back if you don't buy your decryption key. Notice a clock on the side, when that date arrives your important files will be deleted(You have 24 hours to pay the ransom). You will be able to get Bitcoins, at sites such as coinbase.com or localbitcoins.com. There are also others, but usually these are the usual choice(Make sure to get a little bit more Bitcoins, due to transaction fees and the crypto currency is very volatile. It's also a good idea to get the Bitcoins, as soon as possible, because sometimes the purchasing process can take hours. You would also need a wallet for your Bitcoins if you are not using the coinbase.com wallet. When you have your Bitcoins in your wallet. You are going to download and install the tor browser. Go to torproject.org and then follow the instructions given there. You need the tor browser, because our payment website is located in darknet. When you have downloaded and installed the tor browser. Go to this link: zpkjjp57apz76k3q.onion\Pay\PayThis\Payment_1000204.PHP When you are on the website, you simply transfer your Bitcoins to the address that are provided to you(You can copy the address and then paste it in your Bitcoin wallet when you are transfering the Bitcoins). When your Bitcoins arrive to our wallet, you will be notified and then be able to download the decryption key. When you have your decryption key, simply place the key in your C:\ And then get all your important files back. The ransomware will then decrypt everything and remove itself. Here is the entire lists of the way it's done: 1. Decrypt 2 important files as proof of decryption key and we decrypt to keep a good reputation about RansomWarrior 1.0. 2. Get a Bitcoin wallet(If needed) 3. Get the Bitcoins from coinbase.com or localbitcoins.com or an alternative. 4. Download and install the tor browser from torproject.org 5. Go to our website: zpkjjp57apz76k3q.onion\Pay\PayThis\Payment_1000204.PHP 6. Pay your Bitcoins to the Bitcoin address showed. 7. When accepted download your decryption key and put it in your C:\. 8. Then decrypt all of your important files and wait till the ransomware deletes itself. Bonus tips: 1. Do this process as fast as possible. to make sure you get your important files back.(Due to Bitcoins sometimes take some time.) 2. If you are old and this seems confusing, get help from a younger relative or equivalent. 3. Always remember that the clock is ticking. 4. Do not attempt to adjust any of the files in the folder or try to adjust the clock on your computer. This can cause the ransomware to delete itself along with your important files. 5. If you do no. 4 make sure you have technical experience. 6. We will decrypt your important files for our price stated, destroying things is not something we want to do. 7. Save your time(It's limited) by not reporting it to the police, they can't help you anyways(And will jut turn your away). 8. Also disable your anti malware software, because this can delete the ransomware(And we can't guarantee your important files). 9. Have a good day with the love from India. After successfully decrypting the files, the following window appears with the title "Thank You!" The window saids the following: All of your important files has been decrypted, you are now free from RansomWarrior 1.0. We want to thank you for your money, it means a lot. RansomWarrior 1.0 will be set to self-destruct. Category:Ransomware Category:Win32 ransomware Category:Microsoft Windows Category:Win32 Category:Win32 trojan Category:Trojan Category:Assembly